Description
The file at https://github.com/CBIIT/bento-RI-backend/blob/master/src/main/resources/graphql/bento-extended-public-es.graphql
has defined PublicGlobalSearch to include the model and programs content. This creates a vulnerability where someone could write a query to access the data despite not having proper access.
To recreate the issue, use this GraphQL query
```graphql
query PublicGlobalSearchQuery($input: String, $first: Int, $offset: Int) {
  publicGlobalSearch(input: $input, first: $first, offset: $offset) {
    about_count
    programs {
      program_name
    }
    model {
      type
      node_name
    }
  }
}
```
pointed to this endpoint
https://bento-qa2.bento-tools.org/v1/public-graphql/
Your query variables could be
```json
{ "input": "a" }
```
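The following is an added check written for this page; it is not code from the issue reporter or from the bento-RI-backend project. It builds the exact request the report describes, sends it to the public endpoint with no credentials, and reports which of the fields the report calls out (`programs` and `model`, treated here as the restricted set, which is an assumption) come back populated. The two sample responses are constructed, not captured from the real service; the live call is opt-in because it needs network access.

```python
import json
import urllib.request
from typing import Any

# Endpoint and query are the ones given in the issue report above.
PUBLIC_ENDPOINT = "https://bento-qa2.bento-tools.org/v1/public-graphql/"

QUERY = """
query PublicGlobalSearchQuery($input: String, $first: Int, $offset: Int) {
  publicGlobalSearch(input: $input, first: $first, offset: $offset) {
    about_count
    programs { program_name }
    model { type node_name }
  }
}
"""

# Assumption: these are the fields that should require proper access.
RESTRICTED_FIELDS = ("programs", "model")


def build_request_body(search_input: str = "a", first: int = 10, offset: int = 0) -> dict:
    """JSON body a GraphQL client POSTs: operation name, query text and variables.
    The report only supplies "input"; first/offset defaults here are assumptions."""
    return {
        "operationName": "PublicGlobalSearchQuery",
        "query": QUERY,
        "variables": {"input": search_input, "first": first, "offset": offset},
    }


def leaked_fields(response: dict[str, Any]) -> list[str]:
    """Return the restricted fields that came back non-empty in a GraphQL response.
    A response with only 'errors' (query rejected at validation) yields an empty list."""
    data = (response.get("data") or {}).get("publicGlobalSearch") or {}
    return [field for field in RESTRICTED_FIELDS if data.get(field)]


def check_endpoint(url: str = PUBLIC_ENDPOINT, timeout: float = 10.0) -> list[str]:
    """Send the unauthenticated query and report which restricted fields it returns.
    Requires network access; not exercised by the offline examples below."""
    body = json.dumps(build_request_body()).encode()
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return leaked_fields(json.load(resp))


# Constructed sample (not real data): what a leaking endpoint would return.
SAMPLE_LEAKY_RESPONSE = {
    "data": {
        "publicGlobalSearch": {
            "about_count": 3,
            "programs": [{"program_name": "Example Program"}],
            "model": [{"type": "node", "node_name": "example_node"}],
        }
    }
}

# Constructed sample (not real data): once the fields are removed from the public
# type, the server rejects the query during validation and returns only errors.
SAMPLE_FIXED_RESPONSE = {
    "errors": [{"message": 'Cannot query field "programs" on public search result'}]
}

if __name__ == "__main__":
    print("restricted fields returned (sample leaky response):", leaked_fields(SAMPLE_LEAKY_RESPONSE))
    print("restricted fields returned (sample fixed response):", leaked_fields(SAMPLE_FIXED_RESPONSE))
    # Uncomment to run the live check against the QA endpoint named in the report:
    # print("live:", check_endpoint())
```

A non-empty result from `check_endpoint()` confirms the report: the public schema exposes `programs` and `model` to anyone who can reach the endpoint. The same script can serve as a regression check after the fields are removed from the public type, when the query should fail validation rather than return data.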